Or so the current legislation being proposed in a U.S. House of Representatives subcommittee would have it. A hearing scheduled for today at the House Energy and Commerce Committee's Commerce, Manufacturing, and Trade Subcommittee centered on draft legislation proposed by Rep. Mary Bono Mack (R-Calif.) that aims to establish a security baseline companies must adhere to, along with a provision requiring them to notify the government within 48 hours if they suffer a data breach in which “personally identifiable information” is stolen.
According to a recent article in the National Journal, the lawmaker is hopeful following recent hearings she held on the subject. Outraged by recent events, she asks “Why weren’t Sony’s customers notified sooner of the cyberattack?” Continuing, “I fundamentally believe that all consumers have a right to know when their personal information has been compromised,” and “Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them.”
Under the umbrella of protecting consumer information, she wants “reasonable security policies and procedures to protect data containing personal information” to be required, and also wants companies to dispose of data they are no longer using after a period of time that has yet to be specified.
In light of the raft of recent highly publicized data breaches at Sony, the IMF and a slew of others, it seems constituents are pushing up the food chain to get SOMETHING done about what they view as negligent acts by companies not employing the best security practices, potentially resulting in personal financial impact. This has lawmakers scrambling to act. Similar legislation was proposed in 2009, for example, but didn’t pass the Senate.
Concern has been raised about potentially vague terminology in the proposed bill. FTC Commissioner Edith Rodriguez said she’d like better definitions of what constitutes personally identifiable information. Another concern is the time lag between initial breach discovery and when the breach must be reported. Rodriguez states, "The notification needs to be provided as soon as is practicable. My first concern is the bill requires a risk assessment and then a report to consumers within 48 hours, but there's no deadline to complete the risk assessment."
The specific implementation details will likely be debated vociferously as the legislation moves through the process. It seems, however, that some variation of this effort has significant momentum among constituents, and companies may increasingly face legislative pressure when it comes to data breaches. The good news is that there’s still time to ramp up efforts to protect your key infrastructure and customer information before lawmakers act.